Axel Foley is alive and well, and reportedly doing highly classified work for the government. The United States Government Accountability Office (GAO) just released a stunning report on the state of cyber ‘insecurity’ in many of our major weapons systems. Using the highly effective ‘banana in the tailpipe’ methodology, the GAO was able to perform low-level attacks against classified weapons systems and gain the ability to disrupt, degrade and potentially destroy critical parts of the systems.
According to reports, “Testers were able to disrupt systems, change and download data. They also found that they could shut down parts of a system by simply scanning for cyber flaws. In one case, they were able to entirely take over a weapons system in just one day. One team of hackers was even able to send a message asking that users insert at least two quarters in order to continue using a system.”
The GAO found weapons and systems used default passwords. In many other cases, access was achieved using “relatively simple tools.” In one test, it took all of nine seconds to gain access.
The problem is that many articles written about this major issue quote defense experts saying this should be a wake-up call for the Department of Defense.
This ‘wake-up call’ has been ongoing since 1991, according to the GAO.
In 1991, the National Research Council wrote that “as computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor system design, accidents that disable systems, and attacks on computer systems. Without more responsible design and use, system disruptions will increase, with harmful consequences for society.”
Wake-up call number two was perhaps the most dangerous of all. According to a 1996 GAO report, “Attackers have seized control of entire Defense systems, many of which support critical functions, such as weapons systems research and development, logistics, and finance. Attackers have also stolen, modified, and destroyed data and software. In a well-publicized attack on Rome Laboratory, the Air Force’s premier command and control research facility, two hackers took control of laboratory support systems, established links to foreign Internet sites, and stole tactical and artificial intelligence research data.”
But it didn’t stop there.
In early 1998, then-President Bill Clinton was threatening airstrikes against Iraq for refusing to cooperate with United Nations inspectors, an order he eventually gave that December, resulting in a four-day bombing campaign code-named Operation Desert Fox. But it almost didn’t happen. In February of that year, while the Pentagon was planning for a strike, a worst-case scenario presented itself. Attackers had gained access to over 20 systems. They downloaded passwords and installed sniffers and back doors in critical components. According to an oft-used naval term, it was “all hands on deck.” The Army, Navy, Air Force, NSA, CIA, FBI and DOJ were working around the clock to stop the digital hemorrhaging, now code-named Operation Solar Sunrise.
Richard Clarke, at that time the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism at the National Security Council, stated, “For days, critical days, as we were trying to get forces to the Gulf, we didn’t know who was doing it. We assumed therefore it was Iraq.”
Except it wasn’t.
According to John Hamre, deputy secretary of defense, Solar Sunrise was “the most organized and systematic attack the Pentagon has seen to date.” The big question was who. Who possessed the necessary sophistication, tools, tradecraft and logistics to pull off this monumental intrusion? Which elite group of hackers brought the Pentagon to its knees during a critical time of war planning? Could there be a spy in their midst?
Through the collective efforts of numerous agencies, agents and analysts, the perpetrators were finally identified and arrested. The notorious hackers were ‘Stimpy’ and ‘Mak,’ two 14-year-olds from Northern California. Sifting through the detritus of their separate bedrooms, investigators discovered information that led to their mentor, an 18-year-old Israeli with the handle of “The Analyzer.”
The rest of Clarke’s statement foreshadowed our modern cyberspace warfare: “If two 14-year-olds could do that, think about what a determined foe could do.”
Now the DoD has possession of a report that proves, once again, that good people, for a lot of wrong reasons, have hit the snooze button on yet another wake-up call. The GAO report begins with why they did this study. The first sentence is truly mind-boggling: “DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems.”
That’s trillion with a ‘T’. Our government is about to spend $1.66 trillion on building future weapon systems that are so inadequately protected our adversaries won’t have to deploy sophisticated hacking tools or conduct risky espionage operations. They simply need to take a lesson from Axel Foley and some cartoon characters, and do the modern version of the banana in the tailpipe.
With a price tag in the trillions, we can’t afford any more ‘wake-up calls.’ Hopefully DOD isn’t drinking decaf these days for their morning coffee.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.